(In reply to Christian Holler (:decoder) from comment #0)
> The following testcase asserts on ionmonkey revision 6688ede89a36 (run with
Christian, I can't reproduce this on the given cset. Does it still happen on tip? If so, could you show the stack?

Created attachment 648045
Patch
Decoder is having a hard time reproing this, but the stack trace he posted points out what's happening in a pretty obvious way. See attached patch.
Basically, when adding the return-object filter to an inlined function (which takes a return value from a constructor and substitutes it with the |this| if it happens to be a primitive), the code chooses to add it to the same block as the definition which is returned. However, that block isn't always the exit block for the inlined function. The code unterminates the exit block so it can add instructions, but doesn't unterminate any other blocks. So this assert gets raised in situations where an inlined function returns a definition that is defined in an earlier block.
Simple fix: add the filter object definition to the exit block explicitly.
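
The failure described in the comment above, reduced to a toy block model as an added example (it is not part of the original bug comments and not IonMonkey's code). `Block`, `InlinedCtor`, `addFilter` and the instruction strings are hypothetical, and a `false` return stands in for the engine's assertion.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Toy basic block (hypothetical, not an IonMonkey class).
struct Block {
    std::vector<std::string> ins;
    bool terminated = false;
    // A false return stands in for the engine's assertion: a block that
    // already ends in a control instruction cannot take more instructions.
    bool add(const std::string& i) {
        if (terminated) return false;
        ins.push_back(i);
        return true;
    }
    void terminate(const std::string& ctl) { ins.push_back(ctl); terminated = true; }
    void unterminate() { ins.pop_back(); terminated = false; }
};

// Inlined constructor body with an entry block and a separate exit block.
struct InlinedCtor {
    Block entry, exit;
    Block* retDefBlock;  // block holding the definition that is returned
    explicit InlinedCtor(bool defInExit) {
        retDefBlock = defInExit ? &exit : &entry;
        retDefBlock->add("v = call f");
        entry.terminate("goto exit");
        exit.terminate("return v");
    }
};

// Only the exit block is unterminated before the filter is inserted.
bool addFilter(InlinedCtor& c, bool useExitBlock) {
    c.exit.unterminate();
    Block* target = useExitBlock ? &c.exit : c.retDefBlock;
    bool ok = target->add("r = returnObjectFilter(v, this)");
    c.exit.terminate("return r");
    return ok;
}

bool insertionSucceeds(bool defInExit, bool useExitBlock) {
    InlinedCtor c(defInExit);
    return addFilter(c, useExitBlock);
}

int main() {
    std::printf("def-block placement, def in earlier block: %d\n", insertionSucceeds(false, false));
    std::printf("exit-block placement, def in earlier block: %d\n", insertionSucceeds(false, true));
    return 0;
}
```

Placing the filter in the definition's block only works in this model when that block is also the exit block; placing it in the exit block works in both layouts.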